Category: Insider Threats

2017 brought a deluge of ransomware attacks and data breaches that caused headlines around the world. From the classroom to the boardroom, cybercriminals made their presence known. But in 2018, companies must also turn their attention to the rapidly growing presence of insider threats.
In my recent conversations with security professionals, the discussion has moved beyond debating what potential harm insiders could cause, to actually preparing for ways to detect and respond to security incidents.
Many organizations still believe the definition of an insider threat to be along the lines of a disgruntled employee who goes rogue, or one who sells company data and information on the Dark Web. And while these definitions still hold true, we must also prepare for many additional iterations of the insider threat.
Most recently, my colleague Richard Henderson elaborated on the many faces of insider threats, noting that in many cases these threats were not malicious in nature. Overlooking security controls on cloud sharing services, unknowingly joining hostile Wi-Fi networks, and leaving workstations unlocked all qualify as a threat. To err is human, and mistakes happen. But while employees may not act maliciously, these actions pose serious and real risks. In fact, we know that up to 43% of all data breaches are the result of insiders either inadvertently or maliciously putting data at risk.
Outpacing Insider Threat Evolution
Insider threats will continue to evolve in 2018, and companies will need to outpace this evolution in order to protect against and mitigate these threats. This will require a robust and evolved security strategy, but at a base level, companies need to gain visibility into their endpoint devices. It is also critical to identify potential compliance and regulatory violations, and for companies to be on alert to the movement or storage of important data – whether it be customer or proprietary data. Knowing what important information exists on your company’s endpoints allows you to better quantify, and qualify, the risks inside your organization.
If the best offense is a good defense, then ensuring visibility and protection of your endpoints should be priority number one. At Absolute, we use our position embedded in the firmware of over one billion devices to help give visibility into and control over your important data assets. Our data-at-risk discovery tools give you the ability to scan endpoints for sensitive files and remotely protect or remove them from the identified endpoints before they can be exfiltrated to external storage devices or to the cloud. Our Insider Threat Prevention solutions also help you see all endpoints on and off the corporate network, remotely delete sensitive data on compromised devices, self-heal corrupt applications and understand the risk posed by users.
For more information on how to mitigate the risk of insiders, check out our whitepaper: The Enemy Within – Insiders Are Still the Weakest Link in Your Data Security Chain.

If you browsed the latest security headlines, you’d probably think the majority of data breaches were related to hackers, political activists, malware or phishing. While the latter two hint at it, the truth is that nearly half of all data breaches can be traced back to insiders in some capacity.
While we recently examined the rise of the politically motivated insider, the truth is that most incidents are traced back to employees who are just negligent or unaware, whether it’s accidentally emailing customer data to an external party or clicking a phishing link. I was recently invited to join the Forbes Technology Council and I wrote about The Many Faces of Insider Threats, where I examined the different ways an insider can create an incident within your organization. Today, let’s take a closer look at the negligent insider.
Negligent Insiders Are the Hardest to Identify
Most “mistakes” come from negligent insiders. Unfortunately, these insiders are often the hardest to identify. With no malicious intent, these employees are just trying to be productive and independent, which sometimes leads them to circumvent IT, download insecure apps or mistakenly click that phishing link. The ‘ways’ that insiders put data at risk are always changing.
A combination of education and technology is the best approach to detecting and remediating negligent user behavior. While security training is pretty standard these days for new employees, it’s not uncommon for most organizations to forget to build in reminders or to update training over time. Employees may simply forget they aren’t supposed to email data or use open Wi-Fi networks.
Insider Threat Prevention Requires Visibility
With the explosion of cloud storage and SaaS and the growth in IoT, OT and IIoT devices, there are now more ways than ever for data to be inappropriately shared, making it difficult to be 100% certain where company data and sensitive information may end up.
While I expect big things to come out of intent-based security, machine learning and AI, we don’t need to look to future technology to solve all of today’s problems with insiders. We’ll never shore up all the cracks in data security, but we can most definitely improve on the status quo.

Watch the movement of data – you need to be able to watch for the movement of critically important internal and customer data as it traverses within (and outside) your environment. Most organizations are solid on network monitoring, but lack control and visibility over data as it moves onto devices or into the cloud.
Monitor for Shadow IT – look for applications and tools that have not been approved or vetted by your IT and security teams for use. While blocking all non-approved apps and tools could clamp down on productivity, it is critical to have plans in place for when these apps may compromise sensitive data.
Address endpoint security – ensure the physical security of your employee devices and the corporate data stored on those devices.
Have a solid asset management solution – such a solution gives you the capability to immediately respond to a lost or stolen device, closing the window of opportunity for an attacker to capitalize on the data or network access associated with a stolen device.
Choose strong security layers – back up your asset management solution with full disk encryption, anti-virus and anti-malware, and VPN to minimize access to a device and the data it contains.

Threats posed to your organization’s data aren’t always going to be malicious, but the risks they pose are serious and real. Being able to understand the multitude of ways that data can be stolen, and what those threats look like, is critical to building a resilient enterprise that puts the protection of your and your customers’ data first.

A single person inside your organization holds the power to disrupt and cause costly damage. Up to 43% of all breaches are the result of insiders either inadvertently or maliciously putting data at risk, but it’s these privileged insiders that hold the necessary credentials and access to cause significant reputational damage. By far, the most nefarious of these insiders is the malicious insider with a strong moral, religious or political agenda.
In the past several years, we’ve heard about the rise of cyber crime syndicates and hacktivists, but these politically motivated attacks come from the outside. Here, we’re talking about attacks that originate from the privileged insider. These political activists are the latest form of insider threat – and they’re on the rise.
Political activism has been at the root of many incidents in the past and again in November’s Twitter scandal, where a single employee decided to delete President Trump’s Twitter account on their last day working at the organization. As I outlined in The Power of a Single Insider, a post I wrote for CSO Online, this incident is a harsh reminder for organizations to both understand critical points of failure and to assess current ways for monitoring the most privileged users.
The Danger of the Politically Motivated Insider
The Malicious Insider can cause a lot of damage, particularly if they are politically motivated. They already have the access and credentials to gain entry to your infrastructure and sensitive data. If their goal is politically motivated, they are going to want to spread the sensitive data far and wide, as quickly as possible.
Unfortunately, most malicious insiders aren’t caught until the damage has been done. The scope of the damage caused by politically motivated breaches has led to Edward Snowden becoming a well-recognized name. It’s likely we’ll see more names elevated to household status until organizations rethink how to detect and prevent these kinds of insider threats.
Best Practices for Insider Threat Prevention
As with most IT scenarios, your best chance to mitigate these destructive political activists is to focus on prevention.
The best practices for improving your insider threat prevention program for malicious insiders are to:

Define acceptable baseline behavior and data access for people, based on their roles and responsibilities.
Monitor for deviations in activity.
Investigate noncompliant activity immediately.
Invoke preemptive security measures, such as denying access or removing sensitive data from an endpoint, as soon as a potential compromise is discovered. Ideally, such actions are automated.

For most organizations, insider threat prevention often focuses on the network. Most organizations have pretty decent controls to monitor for network behavior, but once that data moves to the endpoint (whether it’s a USB drive or a mobile device), most organizations have no way to detect suspicious behavior, particularly if that endpoint moves off network.
You can invest in the best firewalls, network access controls, encryption, and SIEM technologies on the market, but your organization will still come up against the fallibility of endpoint security agents, which are inherently vulnerable. Traditional endpoint security agents can be corrupted, compromised and disabled, or simply lack the updates they need to work properly.
At Absolute, we use our privileged position embedded in the firmware of over one billion devices to help monitor your important data assets. Our data-at-risk discovery tools give you the ability to scan endpoints for common or customized sensitive files and remove them from the identified endpoints before they can be exfiltrated to external storage devices or to the cloud. Our Insider Threat Prevention solutions help you identify and remove suspicious individuals, get proactive alerts for suspicious activity, remotely delete data to remediate security incidents and solidify endpoint security protections with automatic reinstallation support.

October is National Cyber Security Awareness Month, a global campaign run annually to raise awareness about the importance of cybersecurity. We’ve asked some of our leading security experts here at Absolute to chime in on some of the most pressing issues in cybersecurity today. In the fourth and final part of this series, we bring you a glimpse of what the future looks like for one of today’s most serious threats, the insider. Richard Henderson, our Global Security Strategist, discusses his thoughts on how this risk will evolve and provides ideas on what to do about it. You can also read last week’s Cybersecurity Awareness post, 10 Ways to Rethink Healthcare Security by Kevin Golas.
I spend a lot of time thinking about what cyber security will look like in the future. I think about how fast things seem to be changing in our lives from every angle and if we’ll ever be able to get ahead of it all. With that in mind, and with October being Cyber Security Awareness Month, I thought I’d spend some time considering what continues to be an elusive, critical threat: the insider.
One thing worth asking is whether you can ever really stop every insider threat. I don’t think we’re ever going to be able to get to a world where we can stop every possibility or cover every crack or corner. No security team will ever be able to give their executive leadership categorical assurances that they’ll be able to completely eliminate threats posed by insiders. After all, we have to trust (and we *should* trust) our friends and colleagues… but sometimes that trust will be betrayed. It’s no different than what we face in our personal lives.
I sometimes need to remind myself that not all breaches are intentional or malicious: the explosion of cloud services and the exponential growth in storage and bandwidth have created a whole new world of collaborative tools and technologies… and sometimes those tools can lead to unintentional misuse or sharing of customer and internal proprietary data. That makes me consider how new laws like the EU’s GDPR will impact organizations. When an insider unintentionally drops a huge dataset of customer data onto an unprotected AWS bucket, what will the regulatory impact be when that data is stolen or misused?
I worry about the explosion of IoT, OT and IIoT devices that are crowding our IP address space, and making it harder and harder for security teams to monitor all of the bits zipping around our networks. How much harder is it going to be to spot that key data point or log that points to an insider incident? Or worse: what if an insider decides to cause a failure in an IoT device that will have real-world kinetic impacts?
I wonder whether the current data, which shows rampant account sharing in many verticals including healthcare, will improve. I suspect it won’t in the near term: users just want to get their work done, and additional security controls in environments like healthcare often get in the way of providing patient care.
Changing Threat Response
That being said, I also expect to see changes in defenses to compensate: intent-based security will likely play a huge role, as will recent advances in machine learning and AI. I think some extremely risk-averse organizations may borrow a page from the Intelligence Community’s idea of “continuous evaluation.” In a nutshell, it’s the monitoring of employee data activities inside the workplace, and to a lesser extent, monitoring of life outside the office such as social media postings and public records (including police and bankruptcy records). While this opens an entirely new can of worms around privacy and snooping by employers, and likely won’t fly in places like the EU, I can see new automated tools being created and used to monitor key, privileged employees in highly sensitive roles or extremely regulated verticals.
In the same vein, I am often surprised that we don’t read more about “old school” techniques borrowed from spy thrillers – why aren’t we seeing more low-level employees coerced financially (or through other means like extortion of a personal nature – compromising messages or photos, for example) to plug in a drive, click on executables, steal secrets, or provide access to key data assets?
I ask myself when every organization will treat the security of their data as one of the top risk priorities for their enterprise security teams… and that includes the executive leadership too.
Part of our future success in combating the threat of the insider is to build out a comprehensive plan from desk to server to cloud that has the ability to mitigate, detect, respond and most importantly, deter incidents by insiders. This is as much a process and procedure challenge as it is a technical one. We need to get our board and executive teams involved. They may be hesitant, or may not have a deep understanding of how catastrophic an insider attack can be, but ultimately the buck stops with them and your insider threat strategy must be integrated into your organization’s overall business strategy.
For more on mitigating the risk of insiders, read the whitepaper: The Enemy Within – Insiders Are Still the Weakest Link in Your Data Security Chain.

October is National Cyber Security Awareness Month, a global campaign run annually to raise awareness about the importance of cybersecurity. We’ve asked some of our leading security experts here at Absolute to chime in on some of the most pressing issues in cybersecurity today. In Part 2 of this series, we bring you insight from Jo-Ann Smith, our Director of Technology Risk Management & Data Privacy, who brings extensive insight into the complexities of compliance, security architecture design and forensic analysis to enterprises. See Part 1 in this series: Fostering Digital Citizenship in Education.
Cybersecurity in the workplace is everyone’s business. Why? Because insider threats remain the top vulnerability for organizations across all industries. Up to 43% of all breaches are the result of insiders either inadvertently or maliciously putting data at risk, whether that’s clicking a phishing link, uploading files to the cloud, losing a device or the unsuspecting insider whose identity has been compromised. Insiders have the necessary credentials and access to do significant damage to your business – and most of this damage happens accidentally. A recent SANS survey found that insider threats continue to be one of the top threats organizations face and that data exfiltration is increasingly focused on user credentials and privileged account information, a situation which will inevitably lead to greater unsuspecting insider threats.
Only true visibility and a preventive approach can unmask the insider threat and mitigate the risk. Here are the top 5 ways that organizations can protect against the most common insider threats:
1. Understand that insider threats come in all shapes and sizes. Understanding how motivation, behavior and negligence lead to insider threats can be key to mitigating these risks. Prepare programs that address the three most common types of insiders: negligent, malicious and unsuspecting.

2. Create a culture of security. The National Institute of Standards and Technology (NIST) Cybersecurity Framework states that security should be a core element of an organization’s culture and services, helping create a culture that is more adaptable to the changing risk landscape. Such a culture would also support open dialogue on data risks and challenges to improve organization-wide learning about security best practices. Establishing this “tone from the top”, with executive and board buy-in to the culture of security, has been a proven differentiator in creating effective cybersecurity policies.

3. Create a risk management team and a risk register that qualifies and quantifies risks for remediation and subsequent mitigating steps. The team should create KPIs and audit and report on risk levels to show status and improvement year over year.

4. Improve visibility over highly sensitive data, converging protection of physical assets and digital assets. Lack of control and visibility over data and devices prevents the enforcement of data security policies and leaves organizations with no way to detect suspicious behavior. Our recent Ponemon study found that 63% of organizations could not monitor endpoint devices when they left the corporate network. Our data at-risk discovery tools give you the ability to scan endpoints for sensitive files (even those in cloud applications) and remotely recover and delete data from at-risk devices while Reach allows organizations to execute custom discovery, compliance and remediation tasks.

5. Incorporate automation into your security strategy. Most organizations piece their security strategy together, leaving gaps that create vulnerabilities to costly attacks. Only 28% of organizations currently incorporate automation into their security strategy, costing organizations significant amounts of money and resources chasing down false security alerts and leading to delays in breach detection and remediation.

The insider is merely a means to an end when it comes to cyber attack. The question is, how do you detect and deter the insider threat? For more, read our Whitepaper: The Enemy Within – Insiders Are Still the Weakest Link in Your Data Security Chain.

This week we learned another Anthem data breach is in the news – just one month after the health insurer agreed to pay $115 million to settle a class action lawsuit that stemmed from the 2015 breach that impacted nearly 80 million members and employees.
Fortunately for all involved, the new breach impacts just 18,500 of the company’s Medicare patients, a fraction of the people impacted in the 2015 incident. Initial reports say that an employee of one of Anthem’s third party contractors emailed a file containing personal health information (PHI), which included social security numbers, to his personal email. The employee has been arrested and it appears as though Anthem or the third party caught it early by taking precautionary steps with their partners to minimize the risk.
There is a silver lining to what could have been a nightmare for Anthem: it’s likely the alleged thief was caught before he could abscond with far more data. As we know, Anthem provides medical insurance for millions of Americans, and if this person had been able to remain undetected for an extended period, the impact could have been catastrophic, both for Anthem and for patients.
Third party contractor risk
This incident is a good reminder for all organizations of how incredibly difficult it is to monitor the third party partners they rely on for additional services and processing. Difficult or not, it remains a critical necessity. Compliance auditing and minimum security standards (for example, requiring a solid endpoint strategy and products that can actively monitor devices for customer data) should be the ground floor for companies that deal with sensitive data, especially PHI. Which brings up another important point – this breach should be recognized within the context of GDPR, which comes into full force in May 2018.
While this particular incident appears to have been limited to a small number of American citizens, if a similar breach were to happen at another American company and the stolen data contained EU citizen data, we would likely see significant punitive penalties levied by the EU. Under the coming regulations, parties who collect the data initially are responsible for the use of customer data, even when it is handed off to a third party.
HIPAA has some very strong teeth of course, and I expect the fallout from this breach to be significant for Anthem and the processor. I do think that the relatively small number of records stolen may temper the damages to both organizations, however.
If you’re collecting, storing, and handing off data, it is priority number one to ensure you know where all that data is, where it ends up, and who is using it at all times – no matter what. Identity theft through cybercrime continues to be a multi-billion dollar business for cybercriminals and those numbers are not likely to decrease.

62% of data security professionals don’t know where their sensitive data is, according to a report from Forrester on behalf of Varonis Systems. And that’s just the tip of the iceberg. Find out more — and why a layered approach to security works best…

It’s not surprising that insider threats continue to be a top source of cyberthreats for businesses. Mobility, the cloud, decentralization of IT, and shadow IT all combine to increase insider threats — and there are simply more ways that people can put data at risk.

It has been estimated that 90% of organizations will suffer at least one security incident this year. There is no question that organizations are suffering more data security incidents than ever before and that more of these incidents are translating into data breaches than ever before. While prevention is always important, detection and response are just as important.
Research indicates it can take an average of 256 days to identify a data breach caused by a malicious attack and 158 days for one caused by human error. When an attack goes undetected for this long, the potential for damage (both to the organization and to victims of breached data) is so much worse. Accurately detecting a security incident is the first step toward effectively responding to it.
One of the top problems with detecting security incidents is that there are so many false positives created by current monitoring tools. The growth in mobile device use and in cloud use has expanded the attack surface exponentially; this has, as one would expect, resulted in even more security alerts.
Cloud Amplifies Alert Fatigue
According to a report from Skyhigh, 18% of files in the cloud contain sensitive data, with the average company experiencing 23.2 cloud-based security incidents each month. The report reveals that consumer cloud services represent 38.7% of total cloud services being used within the organization, a problem when it comes to ensuring data is adequately protected. The report also indicates the growing issue of “exception sprawl,” with actual blocking rates for unapproved cloud services falling below governance policies.
The data indicates that employees at the average enterprise collectively take over 2.7 billion unique actions in cloud services each month, with any single action potentially signalling a threat. From accidental or malicious actions (including a large percentage of files being externally shared), compromised accounts, or attacks that leverage the cloud as a vector for data exfiltration, the problem becomes whittling the 23.2 threats out of the 2.7 billion actions taken each month in the cloud. Pair this with the alerts being generated by every layer of security technology in place at organizations and you end up with a “needle in a haystack” scenario.
The storage of sensitive corporate data on unauthorized cloud-based applications such as Dropbox, OneDrive, iCloud, and Box can lead to costly data breaches. While this survey quantifies the risk associated with cloud services organizations know about, it does not address the unsanctioned use of cloud services (Shadow IT). Whether sanctioned or not, it’s important that organizations have a way to regain visibility into the cloud.
Add Context to Your Alerts
Absolute DDS can help you bring your cloud use, sanctioned or not, back under the control of IT. With Absolute Endpoint Data Discovery (EDD), a standard feature in Absolute Data & Device Security (DDS), you can detect data at risk on endpoints, including files being stored in the cloud. By defining the kind of sensitive data that is important to you, you can create customized alerts that provide the context you need to identify risks and to proactively enforce security policies or to remotely wipe sensitive data.
With the high volume of alerts being generated by your defense-in-depth security strategy, what you need is a way to add context to that data so that the important alerts don’t get lost along the way. Alert data generated by Absolute DDS and other security solutions can be fed into your SIEM solution and analyzed in context, offering a holistic view of the entire security posture of your organization. By doing so, you can combine the device, application, and data attributes collected by Absolute DDS to identify anomalies that may be indicative of insider threats, device theft, cyber-threats or critical issues with security solutions.
Contact us to learn how Absolute can add context to your security incident detection capabilities.

Mirroring the findings from the Business Perception of IT Security, which found that the Insider Threat (careless or uninformed employee actions) was the root cause of most data breaches and the top cyberthreat, the Cloud Security Survey from Netwrix found that 61% of respondents believe their own employees pose more risk to data security in the cloud than anyone else.
The second annual Cloud Security Survey polled 600 IT professionals from technology, government, healthcare, finance, manufacturing and other industries about their thoughts on the cloud and on data security. According to the findings, 70% of respondents believe security and privacy of data and systems in the cloud remains a top worry. The top three cloud security worries include unauthorized access, malware and denial of service (DoS) attacks.
While cyberattacks on data held in the cloud remain a worry, the survey reinforces that the true weakness in cloud security is people. As with endpoint security and network security, the core weakness is always people. At Absolute, we’ve talked about the Three Faces of the Insider Threat, which are the same across networks, endpoints and the cloud, and how understanding these types of behaviour can help mitigate the insider threat.
Gaining Visibility into the Cloud
95% of respondents in this survey consider visibility into user activities in the cloud to be an important element in cloud providers’ security guarantees, and yet such an offloading of responsibility is unrealistic and often non-compliant. You cannot rely on others to secure your corporate data, nor can you hope that cloud providers can provide any insight into the growing problems of Shadow IT.
Recent studies from Oracle and VMware have indicated the growth in Shadow IT related to cloud application and cloud storage, often driven by the decentralization of IT. While the majority of cloud applications lack enterprise-grade security and cause fragmentation that increases the risk of cyberattack, the real problem is visibility. If data is living in the cloud, how do you know it’s there?
Absolute is helping confront the dangers of unmonitored cloud storage use and the ongoing Insider Threats putting data at risk on the endpoint and in the cloud. Absolute Endpoint Data Discovery (EDD), which comes as part of Absolute DDS, scans for sensitive data being stored on endpoint devices, even if stored in cloud applications, with remote capabilities to wipe data and remediate security threats. To learn more, get started with your free evaluation version of Absolute DDS today.